CONVISIA LLC  PRIVACY POLICY

Effective Date: March 16, 2026

Last Updated: March 2026

Version 1.0

Senior Legal Advisor’s Note:  This Privacy Policy has been prepared by Convisia LLC in accordance with applicable United States (New York) law, the European Union General Data Protection Regulation (GDPR), UK GDPR, and other applicable international data protection laws. It applies to all participants, clients, and website visitors regardless of their country of residence.

Privacy at a Glance

•  We collect only the personal data needed to deliver our programmes and process bookings.
•  We do not sell your personal data – ever.
•  You have the right to access, correct, and delete your data at any time by contacting mail@convisia.org.
•  EU, EEA, and UK participants have additional rights under GDPR and UK GDPR – see Section 9.
•  Our website uses cookies – you can manage your preferences at any time via the cookie settings link.

1) WHO WE ARE — DATA CONTROLLER

Convisia LLC is the data controller responsible for your personal data.

Business Name: Convisia LLC
Principal Contact: Dr. Constanze Quosh
Primary Business Address: New York, United States
Website: convisia.org (or as updated)
Data Protection Contact Email: mail@convisia.org

If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us at mail@convisia.org.

2) SCOPE AND APPLICABILITY

This Privacy Policy applies to all personal data collected, processed, or stored by Convisia LLC in connection with:

  • Registration and booking for Women’s Circles, courses, and wellness programs (virtual and in-person);
  • Use of the Convisia website and WooCommerce online shop;
  • Electronic signing of participant agreements and waivers via SignNow;
  • Participation in virtual sessions (e.g., Zoom or equivalent video platform);
  • In-person sessions held at venues in New York;
  • Email communications and newsletter subscriptions;
  • Any other direct or indirect interaction with Convisia LLC.

EU/EEA & UK Participants:  Participants located in the European Union, European Economic Area, or United Kingdom have additional rights under the GDPR and UK GDPR respectively. These rights are set out in Section 9 of this Policy. Where the GDPR or UK GDPR applies, Convisia LLC acts as the data controller within the meaning of Article 4(7) GDPR.

3) WHAT PERSONAL DATA WE COLLECT

3.1  Registration and Booking Data

When you register for a program, course, or Women’s Circle, we collect:

  • Full name and email address;
  • Phone number (where provided);
  • Billing and payment information (processed via WooCommerce payment gateway — Convisia does not store full card details);
  • Order/booking reference numbers;
  • Country or region of residence (including whether you are located in the EU/EEA or UK, for the purpose of applying applicable data protection law).

3.2  Agreement and Waiver Data (SignNow)

When you electronically sign the Participant Agreement or Location Waiver, SignNow collects and provides to us:

  • Your full legal name as entered at signing;
  • Your electronic signature;
  • Date and timestamp of signing;
  • IP address and device metadata (collected by SignNow as part of the audit trail).

3.3  Health and Wellness Information (Special Category Data)

IMPORTANT:  Health-related information you disclose — including medical conditions, injuries, mental health matters, or circumstances relevant to participation — constitutes Special Category Data under GDPR Article 9. We collect this only where you voluntarily provide it and only to the extent necessary to safely facilitate your participation. Convisia does not require health disclosures beyond what is reasonably.

3.4  Emergency Contact Information

For in-person participants, we may collect emergency contact details (name and phone number of a nominated contact person). This data is used solely in the event of a medical or safety emergency during an in-person session.

3.5  Session Participation Data

During virtual sessions, we may collect:

  • Connection logs and session attendance records;
  • Communications or messages shared within the session platform (where applicable);
  • Feedback or testimonials voluntarily submitted by participants.

3.6  Website and Cookie Data

When you visit our website, we may automatically collect:

  • IP address and browser type;
  • Pages visited and time spent on the site;
  • Referral source;
  • Cookie identifiers (see Section 7 — Cookies).

3.7  Media and Promotional Data (Consent-Based)

Where you have given explicit written consent (via a separate Media and Data Use Consent Form), we may collect and use:

  • Photographs or video recordings from in-person or virtual sessions;
  • Testimonials or written feedback for promotional purposes;
  • Participation data for anonymised programme research or service development.

Note:  Collection of media and promotional data is entirely optional and always subject to separate, explicit, and freely given consent. EU/EEA and UK participants receive a dedicated consent form at registration. You may withdraw consent at any time without penalty or effect on your participation.

4) HOW AND WHY WE USE YOUR DATA — LEGAL BASES

Convisia LLC processes personal data only where a valid legal basis exists. The following table sets out our purposes and the legal basis for each.

Purpose of Processing | Legal Basis
Processing bookings and payments | Performance of a contract (GDPR Art. 6(1)(b)); NY contract law
Sending booking confirmation and course access details | Performance of a contract (Art. 6(1)(b))
Sending the Participant Agreement / Waiver for e-signature | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c))
Verifying participant eligibility and program suitability | Legitimate interests (Art. 6(1)(f)): ensuring safe and appropriate participation
Health/medical disclosures you voluntarily share | Vital interests (Art. 9(2)(c)) or Explicit consent (Art. 9(2)(a))
Emergency contact use during in-person sessions | Vital interests (Art. 6(1)(d) / Art. 9(2)(c))
Maintaining signed agreement records | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)): evidence of consent and risk management
Sending program updates, scheduling changes, and service communications | Performance of a contract / legitimate interests
Marketing emails and newsletters | Consent (Art. 6(1)(a)) — separate opt-in required; US participants: CAN-SPAM Act
Photography, video, testimonials for promotional use | Explicit consent (Art. 6(1)(a); Art. 9(2)(a) if health data implicated)
Anonymised research and programme improvement | Legitimate interests (Art. 6(1)(f)) — all identifying data removed before analysis
Legal compliance and defence of claims | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

5) DATA SHARING AND THIRD-PARTY PROCESSORS

We do not sell your personal data. We share your data only as set out below.

5.1  Third-Party Service Providers (Processors)

WooCommerce / WordPress (Automattic): Booking, order management, and payment processing infrastructure. Data stored on servers operated by Automattic, Inc. (US). Covered by Automattic’s Data Processing Agreement.

SignNow (airSlate Inc.): Electronic signature collection and storage. Audit trail data including IP address, timestamp, and signature metadata. Covered by airSlate’s DPA and standard contractual clauses for EEA data.

Video Conferencing Platform (e.g. Zoom): Facilitating virtual sessions. Participants connect to sessions via the provider’s infrastructure. Governed by the provider’s own privacy policy and DPA.

Email Service Provider: Delivering booking confirmations, program communications, and newsletters. Configured with appropriate DPA.

Payment Gateway: Processing card and payment transactions. Full card details are processed by the gateway, not stored by Convisia.

5.2  Venue Operators (In-Person Sessions)

For in-person sessions, participant attendance and the location liability waiver may be shared with the venue operator solely for access, safety, and liability purposes where required by the venue. No financial or health data is shared with venues.

5.3  Legal Disclosure

We may disclose personal data to law enforcement, courts, or regulatory authorities where required by applicable law or in connection with the exercise or defence of legal claims.

6) INTERNATIONAL DATA TRANSFERS

Convisia LLC is based in New York, United States. Some of our third-party processors operate in or transfer data to countries outside the EU/EEA and UK.

For EU/EEA Participants:  Where your data is transferred outside the European Economic Area, Convisia LLC ensures an adequate level of protection through one or more of the following mechanisms: (a) EU Standard Contractual Clauses (SCCs) as approved by the European Commission; (b) reliance on an adequacy decision; or (c) participation in the EU–U.S. Data Privacy Framework (DPF) by the relevant processor.

For UK Participants:  Transfers from the UK are protected through UK International Data Transfer Agreements (IDTAs) or reliance on UK adequacy regulations. The UK has currently determined the EU to be adequate. Transfers to the US are covered by the applicable UK data transfer mechanism (UK IDTA or the UK Extension to the EU SCCs).

You may request details of the specific transfer safeguards applicable to your data by contacting us at mail@convisia.org.

7) COOKIES AND WEBSITE TRACKING

Our website uses only strictly necessary cookies required for the WooCommerce shop and Stripe payment processing to operate. We do not use analytics, advertising, marketing, or tracking cookies. Because only strictly necessary cookies are set, no cookie consent banner is required.

Cookies used on this website:

WooCommerce session cookies (woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_*) — maintain shopping cart and checkout session state. Duration: session / up to 2 days.

WordPress authentication cookies (wordpress_*, wordpress_logged_in_*) — used only for participants with a registered account; maintain login session. Duration: session or up to 14 days if “remember me” is selected.

Stripe payment cookies — set by Stripe.js during checkout solely for fraud prevention and payment security. Duration: session.

If we introduce any non-essential cookies in the future (such as analytics tools), this policy will be updated and a cookie consent mechanism will be implemented before any such cookies are deployed.

Do Not Track: Our website does not currently recognise or respond to browser Do Not Track (DNT) signals, as no tracking technologies are in use.

8) DATA RETENTION

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

Data Category | Retention Period | Justification
Booking and payment records | 7 years | NY accounting and tax law; contract record requirements
Signed participant agreements and waivers | 7 years from date of signing (or 3 years post-programme if longer) | Statute of limitations for contract and tort claims under NY law; GDPR proportionality
Health disclosures / special category data | Duration of programme + 1 year, unless retained for vital interests | Minimal retention; deleted promptly when no longer necessary
Emergency contact information | Duration of programme only | No post-programme purpose
Marketing consent records | Until consent is withdrawn + 3 years for evidence of consent | CAN-SPAM; GDPR Art. 7(1) — burden of proof for consent
Website and analytics data | Up to 26 months (standard analytics retention) | Cookie consent policy
Session attendance / participation records | 2 years from programme end | Programme administration
Media / promotional content (with consent) | Until consent withdrawn or 5 years, whichever is earlier | Proportionality; consent-based

9) YOUR RIGHTS

9.1  Rights Applicable to All Participants (US and International)

Regardless of your location, you have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of your data where it is no longer necessary (subject to legal retention obligations);
  • Withdraw consent at any time for processing based on consent (e.g., marketing, media use) without affecting the lawfulness of prior processing;
  • Object to processing based on legitimate interests.

9.2  Additional Rights for US State Residents

Depending on the US state in which you reside, you may have additional rights regarding your personal data under applicable state privacy laws. We do not sell personal data. To exercise any applicable state privacy rights, please contact us at mail@convisia.org.

9.3  Additional Rights for EU/EEA Participants (GDPR)

GDPR Rights:  If you are located in the EU/EEA, you additionally have the right to:

  (a) Data portability (Art. 20): receive your data in a structured, machine-readable format;
  (b) Restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances;
  (c) Not be subject to solely automated decision-making with legal or significant effect (Art. 22);
  (d) Lodge a complaint with your national supervisory authority (e.g., the German Datenschutzbehörde, the Irish DPC, or your local EU Member State authority).

9.4  Additional Rights for UK Participants (UK GDPR)

UK GDPR Rights:  If you are located in the United Kingdom, you have the same rights as EU participants above, and may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk. You may also have rights under the UK Consumer Rights Act 2015 in relation to services purchased through our WooCommerce shop.

9.5  How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to:
Email:  mail@convisia.org
Subject line:  Data Subject Request — CONVISIA — Dr. Constanze Quosh

We will respond within 30 days (or within one month for GDPR purposes). We may ask you to verify your identity before processing your request. Where requests are complex or numerous, we may extend this period by a further two months with prior notice.

10) DATA SECURITY

Convisia LLC implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include:

  • Encryption of data in transit (HTTPS/TLS) for all web communications;
  • Use of reputable third-party processors with their own security certifications;
  • Secure electronic signing via SignNow (SOC 2 Type II certified audit trail);
  • Access controls limiting staff access to data on a need-to-know basis;
  • Regular review of data processing practices and third-party agreements.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and, where required, the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR; promptly under applicable US law).

11) CHILDREN’S PRIVACY

Convisia LLC’s programs are designed for adult participants (18 years and older). We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data without appropriate consent, please contact us immediately at mail@convisia.org and we will take steps to delete the data.

12) MARKETING COMMUNICATIONS

We will only send you marketing or promotional communications if you have opted in. You may unsubscribe at any time by:

  • Clicking the unsubscribe link in any marketing email;
  • Contacting us at mail@convisia.org with the subject line ‘Unsubscribe’.

We comply with the US CAN-SPAM Act for all marketing emails sent to US recipients. For EU/EEA and UK participants, separate opt-in consent is obtained for each marketing purpose via the Media and Data Use Consent Form at registration.

13) CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. Where material changes are made, we will:

  • Update the ‘Last Updated’ date at the top of this Policy;
  • Notify registered participants by email (for significant changes);
  • Re-seek consent where required by law (e.g., where a new processing purpose requires fresh consent).

Continued use of our services after the effective date of any update constitutes acceptance of the revised Policy, to the extent permitted by applicable law. EU/EEA and UK participants will always be notified separately of material changes.

14) COMPLAINTS

If you have a concern about how we handle your data, please contact us first at mail@convisia.org. We will endeavour to resolve your concern promptly.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • EU Participants: Your national Data Protection Authority (DPA). A full list is available at edpb.europa.eu.
  • German-Based Participants: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the relevant state Datenschutzbehörde.
  • UK Participants: Information Commissioner’s Office (ICO), ico.org.uk, Tel: 0303 123 1113.
  • US Participants: We are committed to working with you directly. You may also contact the Federal Trade Commission (FTC) at ftc.gov.

15) CONTACT US

Convisia LLC
Data Controller — Privacy Matters
Dr. Constanze Quosh
New York, United States
Email:  mail@convisia.org
Website:  convisia.org

16) EXTERNAL LINKS AND THIRD-PARTY WEBSITES

Our website may contain links to external websites and social media platforms (including LinkedIn and Instagram) as well as links to third-party payment processors. Clicking on these links may allow third parties to collect or share information about you. Convisia LLC does not control these third-party websites and is not responsible for their privacy practices or content. We encourage you to read the privacy policy of every website you visit.

17) BUSINESS TRANSFER

In the event that Convisia LLC undergoes a merger, acquisition, reorganisation, or sale of all or part of its assets or business, your personal data may be transferred to the acquiring or successor entity as part of that transaction. We will notify you – by email and/or a prominent notice on our website – of any such change in ownership or use of your personal data, and you will retain the right to exercise any applicable rights set out in Section 9 of this Policy.